1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

fix(linux/Docker and OCI Hardening): correction on no_new_privs option (#223)

This commit is contained in:
xyhhx 2024-04-19 02:49:30 +00:00 committed by GitHub
parent d824a1ccae
commit 4ef5e890de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -136,7 +136,7 @@ After ensuring root isn't used in your containers, you should look into setting
``` ```
security_opt: security_opt:
- no-new-privileges: true - "no-new-privileges:true"
``` ```
Gaining privileges in the container will be much harder that way. Gaining privileges in the container will be much harder that way.
@ -255,4 +255,4 @@ Still not convinced? What if I told you a container can leverage the same techno
If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security. If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security.
Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of. Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of.